On 06/25/2012 11:08 PM, Jay Sulzberger wrote:
> Is there a hardware switch or jumper that can be set so that no
> modification of the firmware is possible? My question here is:
> if I have gross physical possession of the hardware can I disable
> firmware updates done just via code running on the x86/UEFI
> chips?
There's no real guarantee that any particular machine will have any physical
switch, but that doesn't mean you can't just /not run/ the software that
does the updates.
> Will the UEFI be able to send and receive information over a
> local network, say via Ethernet? That is, without an old
> fashioned "kernel" being booted. By "old fashioned" I mean
> something like the Linux kernel, which, I think runs, usually, in
> a "space" different from the space where UEFI code runs?
Some vendor's firmware could, in theory, do that. It's not part of the spec.
>>> 3. If booting a standard style of kernel is required to revoke,
>>> at the command of Hardware Key Central, signing keys, then the
>>> standard kernel must be capable of receiving and interpreting
>>> such commands,
>>>> Well, the kernel wouldn't really be the responsible code here. Most
>> likely we'll make that a package update and use rpm %post scripts to
>> apply changes.
>> I will attempt to think about this.
I hope everything comes out okay.
> I know that UEFI hardware is available.
>> Which hardware do you recommend, if I want to actually see the
> UEFI and perhaps try it out?
I'm really, *really* not in the business of recommending hardware. There
are various sites on the internet that do that exclusively. One of them has
probably figured out that they should be thinking about UEFI by now.
--
Peter